There is a sea change underway in the managed security services marketplace. This change is from a premises-based model to a cloud-based one. The traditional managed security services model works like this. An organization that does not have the resources or desire to manage its own security devices will contract with a managed security services provider (MSSP) to do it for them. Taking the firewall as an example, the MSSP places a firewall at the customer premises, configures and manages it remotely for the customer in exhange for a monthly fee. The customer does not have to purchase any hardware or software, perform any maintenance, or manage it in any way. They may receive periodic reports or may be contacted in the event of a fault, but for the most part they are happy knowing this part of their network security is being managed for them.

There are several problems with this type of premises-based service:

First, it is not very efficient. It often requires feet on the street to resolve hardware problems which can eat into profits. And premises-based devices can be difficult to manage remotely. Also, it doesn’t make sense to setup a firewall at the customer site to block traffic that could just as easily be blocked at the other end of the circuit before it even reaches the customer’s network.

Second, it does not address an increasingly mobile workforce. This is particularly true for services geared toward endpoint security. What good does it do to have a proxy or secure web gateway at headquarters if remote staff access the Internet directly? Sure, you can back haul traffic via a VPN, but this can cause performance issues.

Third, premises-based solutions do not scale well. It becomes increasingly difficult to effectively manage hundreds or even thousands of premises-based devices.

To address these issues, MSSPs have begun moving their security services into the cloud. This means that there is no need to place any hardware at the customer site. Turn-up is usually quick and painless which is a positive for the customer as well. An early example of a cloud-based security service is email anti-virus and anti-spam. Several vendors, such as Postini, route customer email through their network where it is scanned and cleaned before being routed to the customer. This same model is being used by companies such as ScanSafe who proxy their customers’ web traffic through their networks and perform AV scanning, URL filtering, anti-phishing and other security services on behalf of their customers.

But most of these companies have been focused on a single service such as anti-spam or anti-virus. And now ISPs have begun to realize that they can provide these services as well. In fact, many of the largest ISPs on the planet also provide premises-based security services and they see a huge market for cloud-based services. If they are already providing Internet services to a customer, why not also protect their traffic? Need a firewall, we can do that. Need IDS, we got that. URL filtering? No problem. For the customer it is seemless. And for the ISP it is additional revenue with little additional cost. This transition is already underway. Expect to see more and more cloud-based security services being offered from ISPs in the very near future.